US10986081B1ActiveUtility
Cross-organization registration for single sign-on
Est. expirySep 28, 2037(~11.2 yrs left)· nominal 20-yr term from priority
H04L 63/108H04L 63/105H04L 63/104H04L 63/083H04L 63/0815
93
PatentIndex Score
13
Cited by
5
References
20
Claims
Abstract
A managed directory service receives a request from a first service to link a directory of a contractor service to the first service's directory. The managed directory service identifies a group within the directory of the contractor service and links the directories using this group. Through the link, the managed directory service enables users in the group to authenticate to the first service's directory using credentials for the directory of the contractor service.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A computer-implemented method, comprising:
creating a first group in a first directory;
obtaining a first request to link a second directory to the first directory via the first group, the first request specifying an expiration condition for the link;
transmitting a second request to authorize linkage of the second directory to the first directory;
obtaining selection of a second group of the second directory;
associating users of the second group with users in the first group;
enabling the users in the first group to authenticate to the first directory using respective credentials of the users of the second group of the second directory;
detecting, at a time after enabling the users in the first group to authenticate to the first directory, that the expiration condition is met; and
as a result of the expiration condition being met, severing the link between the second directory to the first directory.
2. The computer-implemented method of claim 1 , wherein the method further comprises:
obtaining a third request to remove the first group from the first directory; and
in response to the third request, severing the link between the second directory to the first directory.
3. The computer-implemented method of claim 1 , wherein associating the users of the second group with the users in the first group includes:
detecting addition of the users of the second group to the second group; and
updating the first group to include respective users corresponding to the users of the second group.
4. The computer-implemented method of claim 1 , wherein the method further comprises:
obtaining a request to remove a user from the first group; and
removing the user from the second group.
5. A system, comprising:
one or more machine-readable mediums having stored thereon a set of instructions, which if performed by one or more processors, cause the system to at least:
obtain a request to link a second directory to a first directory, wherein:
the first directory and the second directory are managed directories that regulate access to resources via an access policy; and
the link is subject to an expiration condition specified in the request;
determine a group in the second directory; and
enable users in the group to authenticate to the first directory using credentials for the second directory;
at a time after enabling the users in the group to authenticate to the first directory, terminate the link between the second directory to the first directory as a result of detecting that the expiration condition is met.
6. The system of claim 5 , wherein the set of instructions further cause the system to:
generate, in response to the request, a second group within the first directory;
detect addition of the users to the group in the second directory; and
update the second group to include respective users corresponding to the users.
7. The system of claim 5 , wherein the set of instructions further cause the system to:
provide a second request to obtain authorization of the link of the second directory to the first directory; and
establish the link between the second directory and the first directory in response to receiving an indication specifying that the link is authorized.
8. The system of claim 5 , wherein
the set of instructions further cause the system to prevent the users in the group from authenticating to the first directory using the credentials for the second directory as a result of terminating the link.
9. The system of claim 5 , wherein the set of instructions further cause the system to:
obtain a request to remove a user from the group;
remove the user from the group; and
prevent the user from authenticating to the first directory using a set of credentials of the user for the second directory.
10. The system of claim 5 , wherein the set of instructions further cause the system to transmit, in response to the request, a second request to generate the group in the second directory.
11. The system of claim 5 , wherein:
the second directory defines attributes of the users in the group; and
the attributes are accessible via the first directory in a read-only format.
12. The system of claim 5 , wherein the set of instructions further cause the system to:
obtain a request to remove the group from the second directory; and
in response to the request, terminate the link.
13. A non-transitory computer-readable storage medium storing thereon executable instructions that, if executed by one or more processors of a computer system, cause the computer system to at least:
obtain a request to link a second directory to a first directory;
determine selection of a group in the second directory;
enable users in the group to authenticate to the first directory using credentials for the second directory;
detect that an expiration condition for the link has been met; and
prevent the users in the group from authenticating to the first directory using the credentials for the second directory as a result of the expiration condition being met.
14. The non-transitory computer-readable storage medium of claim 13 , wherein the instructions further cause the computer system to:
remove, in response to a second request, a user from the group; and
prevent the user from authenticating to the first directory using a set of credentials of the user for the second directory.
15. The non-transitory computer-readable storage medium of claim 13 , wherein:
the second directory defines attributes of the users in the group; and
the instructions further cause the computer system to provide the attributes of the users via the first directory in a read-only format.
16. The non-transitory computer-readable storage medium of claim 13 , wherein the instructions further cause the computer system to transmit, in response to the request, a second request to approve the link and to generate the group in the second directory.
17. The non-transitory computer-readable storage medium of claim 13 , wherein the instructions further cause the computer system to establish the link between the second directory and the first directory in response to receiving an indication specifying that the link is authorized.
18. The non-transitory computer-readable storage medium of claim 13 , wherein the instructions further cause the computer system to:
generate, in response to the request, a second group within the first directory; and
update the second group to include respective users corresponding to the users in the group in the second directory.
19. The non-transitory computer-readable storage medium of claim 13 , wherein the instructions further cause the computer system to:
obtain a request to remove the group from the second directory;
remove the group from the second directory; and
terminate the link.
20. The non-transitory computer-readable storage medium of claim 13 , wherein further as a result of detecting that the expiration condition is met, severing the link between the second directory and the first directory.Join the waitlist — get patent alerts
Track US10986081B1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.